Privacy Policy
Last updated: March 2026
1. Controller
Latrock GmbH
Im Obergrund 2, 65232 Taunusstein
Email: contact@zeitbro.com
("we", "us", "our") is the controller within the meaning of Art. 4(7) GDPR for the processing of personal data described below.
We are not required to appoint a Data Protection Officer under Art. 37 GDPR. For data protection inquiries, contact us at contact@zeitbro.com.
Competent supervisory authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
https://datenschutz.hessen.de
2. What Data We Collect
2.1 Account Data
When you register, we collect:
- Name
- Email address
- Hashed password (for email/password sign-up)
- OAuth profile information (for social sign-up via Google or GitHub)
2.2 Usage Data
When you use the service, we process:
- Time entries (come/leave times, pause, work minutes, status)
- Project tasks and durations
- User settings and preferences
- Device identifiers and heartbeat timestamps for timer conflict prevention
2.3 Technical Data
Our infrastructure providers may automatically collect:
- IP address
- Browser type and version
- Device information
- Timestamps of requests
3. Legal Basis (Art. 6 GDPR)
We process your data on the following legal bases:
- Art. 6(1)(b) GDPR - Performance of contract: processing necessary to provide the time tracking service you signed up for.
- Art. 6(1)(f) GDPR - Legitimate interest: technical logging for security and service stability.
3.1 Automated Decision-Making
We do not use automated decision-making or profiling as defined in Art. 22 GDPR.
4. Data Processors
We use the following third-party processors. A data processing agreement pursuant to Art. 28 GDPR is in place with each processor.
- Convex, Inc. (USA, data hosted in EU) - Backend database and serverless functions
- Vercel, Inc. (USA, data hosted in EU) - Web application hosting
- Mailgun Technologies, Inc. (USA, data hosted in EU) - Transactional email delivery
5. International Data Transfers
All data processors store and process your data within the European Union. The processor companies are headquartered in the USA and participate in the EU-US Data Privacy Framework.
6. Cookies
We use only strictly necessary cookies for authentication (session tokens). We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive.
If we introduce non-essential cookies in the future, we will implement a consent mechanism before activation.
7. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Data transmission encryption (TLS/HTTPS)
- Encryption at rest for stored data
- Hashed password storage (bcrypt)
- Access control based on the principle of least privilege
- Regular security reviews of our infrastructure
8. Data Retention & Breach Notification
We retain your data for as long as your account exists. When you delete your account, all personal data is deleted. We may retain anonymized, aggregated data for service improvement and analytics purposes.
Technical log data (server logs) is retained for a maximum of 90 days. If we introduce payment features in the future, billing data will be retained in accordance with commercial and tax law retention periods (10 years, HGB/AO).
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR. The competent supervisory authority will be informed within 72 hours in accordance with Art. 33 GDPR.
9. Your Rights
Under the GDPR, you have the right to:
- Access your personal data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
- Withdraw consent at any time with future effect (Art. 7(3) GDPR)
To exercise your rights, email contact@zeitbro.com. We will respond within one month (Art. 12(3) GDPR). You can export your data from Settings at any time.
10. Changes
We may update this privacy policy from time to time. We will notify you of material changes by email or through the service. Material changes require re-acceptance through the service.